Security Firm Points to Flaw in Google Glass

As an early example of a new form of computing, Google Glass was likely to have kinks. Lookout Security says it has found one.

The San Francisco-based mobile-security firm says it recently discovered a security flaw in Google's wearable, Web-connected device, which places a screen and camera above a person’s eye. Its findings underscore the broader security concerns that are being raised as more everyday objects become connected to the Web.

Lookout’s Marc Rogers, a principal security researcher, found that when a Google Glass wearer used the device to photograph something that had a “QR” code, or website link, the device automatically executed the code’s command or opened the URL without first asking the wearer.

The vulnerability, at least in theory, could allow hackers to plaster malicious codes and links in public spaces and gain control over the device if it ever took an image that contained them. Hackers, for example, could spy on wearers’ personal information or force the device to send costly SMS messages that might financially benefit the hackers, among other schemes. (This video describes the issue.)

After Rogers reported the problem to Google in mid-May, the company fixed it within a couple of weeks, he said.

Of course, Glass won’t be sold to the public until next year and Google has only handed it out to several thousand “explorers,” mainly software developers who may write programs for the device and are giving feedback to the company.

And the Glass vulnerability doesn’t hold a candle to a security issue discovered earlier this year involving Google’s Android mobile software.

So why is the Glass flaw notable?

From thermostats and printers to silverware (yes, silverware) and watches, billions of devices are now connected to the Web and can be highly useful to users. They can also be used against us.

For instance, a Web-connected industrial valve could be hacked and turn on or off in order to sabotage a facility, Rogers said. A Web-connected insulin pump or other biomedical devices now worn by people could be hacked and used to kill them, he said. Lookout says certain insulin pumps are currently vulnerable to hacking.

“There are more things for bad guys to attack,” said Lookout cofounder Kevin Mahaffey. But he added that precisely because the devices are Web-connected, there is also a greater ability for “good guys” to create large-scale systems to protect them.

He praised Google’s approach to security and said that if most companies aren’t as responsive, “we’re in for a bumpy ride” as more devices come online in what’s known as the “Internet of Things.”

A Google spokeswoman declined to comment specifically about the issue raised by Lookout. But she said in a statement that the company wanted to “get Glass into the hands of all sorts of people, listen to their feedback, see the inspirational ways they use the technology, and discover vulnerabilities that we can research and work to address before we launch Glass more broadly.”